As previously discussed at multiple conferences and in this blog,
KoreLogic worked on the PathWell project for the DARPA Cyber Fast
Track program. PathWell identifies and blocks common passwords based
on common password topologies and learned user behavior.

The PathWell software is not yet public, but people have frequently
asked us to publish the list of the most popular topologies within
enterprises that we compiled during that research. So, that is what we
are doing today.

The topologies listed below are not based on public password leaks,
but instead on sanitized, merged real data from environments that are
known to enforce password complexity. If you create your own
topologies from the common "RockYou" word list, yours will look
different. In an enterprise environment, users are forced to follow a
password policy with respect to length, makeup, etc. Password
expiration is almost always enforced as well. But as previously
mentioned by KoreLogic, these policies actually introduce
vulnerabilities: by using password topologies in your cracking
program, you can abuse the human-nature aspect of password creation.

These topologies can easily be plugged into a password cracking
program such as HashCat or oclHashcat.

As a test, take the first 100 topologies listed below and run them
against your password hashes from a corporate environment. Without
ever supplying a wordlist or ruleset, you might be able to crack
anywhere from 60% to 90% of all user passwords, depending on your
users and your specific policies, of course.
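To make the topology idea concrete, here is an added example (not PathWell's code, nor anything KoreLogic has published) that reduces a password to its character-class topology in Hashcat mask notation and checks it against a blocklist, the kind of check a policy engine like PathWell applies when rejecting new passwords. The blocklist entries and the sample passwords are constructed placeholders, not the list published below.

```python
import string

# Added example, not KoreLogic's PathWell code. Maps each character to a
# Hashcat mask token (?u upper, ?l lower, ?d digit, ?s everything else).
def char_class(c: str) -> str:
    """Return the Hashcat mask token for a single character (ASCII classes)."""
    if c in string.ascii_uppercase:
        return "?u"
    if c in string.ascii_lowercase:
        return "?l"
    if c in string.digits:
        return "?d"
    return "?s"  # punctuation, space, and anything non-ASCII


def topology(password: str) -> str:
    """Collapse a password to its topology, e.g. 'Summer2013!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    return "".join(char_class(c) for c in password)


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """A typical enterprise rule: at least min_len characters drawn from 3 of the 4 classes."""
    classes = {char_class(c) for c in password}
    return len(password) >= min_len and len(classes) >= 3


# Constructed placeholder blocklist in Hashcat mask notation; substitute the
# real list from the post (one mask per line) via load_topologies().
BLOCKED_TOPOLOGIES = {
    "?u?l?l?l?l?l?d?d",
    "?u?l?l?l?l?l?l?d?d",
    "?u?l?l?l?l?l?d?d?d?d",
    "?u?l?l?l?l?l?l?d?d?d?d",
    "?u?l?l?l?l?l?d?d?d?d?s",
}


def load_topologies(text: str) -> set:
    """Parse a topology list, one mask per line, ignoring blank lines and '#' comments."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def is_blocked(password: str, blocked=BLOCKED_TOPOLOGIES) -> bool:
    """True when the password's shape is on the blocklist, even if it passes complexity rules."""
    return topology(password) in blocked


if __name__ == "__main__":
    for pw in ("Summer2013!", "correct horse battery"):  # constructed samples
        print(pw, topology(pw), meets_complexity(pw), is_blocked(pw))
```

The point the post makes shows up directly: a constructed password such as "Summer2013!" satisfies the complexity rule yet lands on a blocked topology, while a long lowercase passphrase fails the complexity rule and is nowhere near the blocklist.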

This data is based on a decade of password hash collection and
cracking in corporate environments. We also use these topologies as
part of our PRS (Password Recovery Service). This is in addition to
years of research into word selection, rule generation, etc.

Enough talk, here are the first 100 topologies, in order of likelihood
of success across a variety of different enterprise networks. This is
obviously just a sample of all the topologies we have discovered over
time. But it's a great start.